diff --git a/docs/rolereference.rst b/docs/rolereference.rst index c29116e11b72fde2554f250fdf5bdf2131e20255..19680e306d9cb0683b0f2c845762e7a00a5b1bcc 100644 --- a/docs/rolereference.rst +++ b/docs/rolereference.rst @@ -742,7 +742,14 @@ Parameters Minimum *Security Strength Factor* to require from all incoming connections. This applies for both remote and local connections. -**ldap_tls_ciphers** (string, optional ``NONE:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+DHE-RSA:+ECDHE-RSA:+SHA256:+SHA384:+AEAD:+AES-128-GCM:+AES-128-CBC:+AES-256-GCM:+AES-256-CBC:+CURVE-ALL``) +**ldap_tls_ciphers** (string, optional ``NONE:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+DHE-RSA:+ECDHE-RSA:+SHA256:+SHA384:+SHA512:+AEAD:+AES-128-GCM:+AES-256-GCM:+CHACHA20-POLY1305:+CURVE-ALL``) + + .. warning:: + Under Debian Stretch, the DHE ciphers are not usable due to a bug + present in OpenLDAP 2.4.44. See + https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1656979 + for details. + TLS ciphers to enable on the LDAP server. This should be a GnuTLS-compatible cipher specification that should also include what TLS protocol versions should be used. Value should be compatible with OpenLDAP server option
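Review bot: the new warning tells readers that DHE ciphers are unusable under Debian Stretch, but the default string it sits under still carries `+DHE-RSA`, so a reader is left unsure whether the default works on that platform at all. State explicitly that the default still functions there because `+ECDHE-RSA` remains enabled and only the DHE suites are skipped, or suggest the concrete override (the same string without `+DHE-RSA`) for operators who want a clean default on Stretch. The placement is also awkward: the `.. warning::` block is inserted between the `**ldap_tls_ciphers**` parameter heading and its descriptive paragraph ("TLS ciphers to enable on the LDAP server ..."), so consider moving it after that paragraph, and double-check the directive body indentation in the rendered rst since the hunk shows the warning indented one level deeper than the parameter text. Finally, the default change itself (dropping `+AES-128-CBC` and `+AES-256-CBC`, adding `+SHA512` and `+CHACHA20-POLY1305`) is a behavioural change for every deployment that relies on the default and deserves a sentence of its own in the docs or changelog; the bug link only explains the DHE caveat, not why the CBC suites went away.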